Internet Archive's in-browser bookreader "theater" requires JavaScript to be enabled. It appears your browser does not have it turned on. Please see your browser settings for this feature.

Inferring the presence of reverse proxies through timing analysis

by: Alexander, Daniel R.

Publication date: 2015-06-01 00:00:00

Topics: Active Measurement, Timing Analysis, Reverse Proxy, Machine Learning, Inference, Classification

Publisher: Monterey, California: Naval Postgraduate School

Collection: navalpostgraduateschoollibrary; fedlink

Language: English

Rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.

This thesis presents a method for inferring the presence of a reverse proxy server using packet timing analysis from the vantage point of a client system. This method can determine whether Internet users are receiving web content from the actual source or from some potentially spoofed proxy device; leading to better risk assessment and understanding of the cyber terrain. By using only the measurement and comparison of three-way handshake and content request/delivery packet round trip times, we identify an accurate classifier that detects the presence of a reverse proxy server with over 98% accuracy. This is an improvement over other inference methods because all measurements can be done from an external client machine. A secondary yet significant contribution is the robust data set that was produced as a result of this research. We have collected a set of over 6 million data points from a known set of 30 globally dispersed machines, which was instrumental in our research efforts and will be used for further studies and exploration.